remove two stray backticks and add quotes after href for consistency.

from andras farkas
tb 2022-07-15 06:46:06 +00:00
parent e21cc2a888
commit d582ffb169
1 changed files with 83 additions and 83 deletions

71.html

@ -317,7 +317,7 @@ to 7.1.
<li>Added a <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
cache of regions between 128k and 2M to accommodate programs
allocating and deallocating regions of these sizes quickly.
` <li>Added <a href="https://man.openbsd.org/pax.1">pax(1)</a> support
<li>Added <a href="https://man.openbsd.org/pax.1">pax(1)</a> support
for mtime/atime/ctime extended headers (in not-SMALL builds).
<li>Added -k flag to <a
href="https://man.openbsd.org/gzip.1">gzip(1)</a> and <a
@ -471,7 +471,7 @@ to 7.1.
<li>Added support for tpm2 CRB interface to <a
href="https://man.openbsd.org/tpm.4">tpm(4)</a>, fixing recent S4
regressions on the Surface Go 2 caused by a firmware change.
` <li>Ensured armv7 and arm64 efiboot allocate fresh memory for the
<li>Ensured armv7 and arm64 efiboot allocate fresh memory for the
device tree with at least one page of free space to extend into. This
fixes booting on VMWare Fusion.
<li>Stopped binding audio devices exposed by <a
@ -1075,7 +1075,7 @@ to 7.1.
<li>Security
<ul>
<!-- OpenSSH 8.9 -->
<li>Near miss in <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li>Near miss in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
fix an integer overflow in the user authentication path
that, in conjunction with other logic errors, could have yielded
unauthenticated access under difficult to exploit conditions.<br>
@ -1090,44 +1090,44 @@ to 7.1.
<li>In OpenSSH 8.9 the FIDO security key middleware interface
changed and increments SSH_SK_VERSION_MAJOR.
<!-- OpenSSH 9.0 -->
<li>This release switches <a href=https://man.openbsd.org/scp.1>scp(1)</a>
<li>This release switches <a href="https://man.openbsd.org/scp.1">scp(1)</a>
from using the legacy scp/rcp protocol
to using the SFTP protocol by default.<br>
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on <a href=https://man.openbsd.org/scp.1>scp(1)</a>
included on <a href="https://man.openbsd.org/scp.1">scp(1)</a>
command-lines, otherwise they could be interpreted
as shell commands on the remote side.<br>
This creates one area of potential incompatibility:
<a href=https://man.openbsd.org/scp.1>scp(1)</a> when using
<a href="https://man.openbsd.org/scp.1">scp(1)</a> when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in <a href=https://man.openbsd.org/scp.1>scp(1)</a>
legacy scp/rcp in <a href="https://man.openbsd.org/scp.1">scp(1)</a>
when using the SFTP protocol.<br>
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However,
<a href=https://man.openbsd.org/sftp-server.8>sftp-server(8)</a>
<a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>
in OpenSSH 8.7 and later support a protocol extension
"expand-path@openssh.com" to support this.<br>
In case of incompatibility, the
<a href=https://man.openbsd.org/scp.1>scp(1)</a> client may be instructed to use
<a href="https://man.openbsd.org/scp.1">scp(1)</a> client may be instructed to use
the legacy scp/rcp using the -O flag.
</ul>
<li>New features
<ul>
<!-- OpenSSH 8.9 -->
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/sshd.8>sshd(8)</a>,
<a href=https://man.openbsd.org/ssh-add.1>ssh-add(1)</a>,
<a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
<a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>,
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
add a system for restricting forwarding and use of keys added to
<a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>
A detailed description of the feature is available at
https://www.openssh.com/agent-restrict.html and the protocol
extensions are documented in the
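Review bot: the agent-restriction item still has no sentence break after the rewritten `<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>` line, so the rendered text runs "keys added to ssh-agent(1) A detailed description ..."; add a period after the closing `</a>`. In the same item the https://www.openssh.com/agent-restrict.html URL is bare text rather than an anchor, which is inconsistent with the quoted-href links this change standardises on. Separately, in the scp(1) item, "sftp-server(8) in OpenSSH 8.7 and later support" should read "supports".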
@ -1135,52 +1135,52 @@ to 7.1.
>PROTOCOL</a> and
<a href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.agent?annotate=OPENBSD_7_1"
>PROTOCOL.agent</a> files in the source release.
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones).
<li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
when downloading resident keys from a FIDO token,
pass back the user ID that was used when the key was created and
append it to the filename the key is written to (if it is not the
default). Avoids keys being clobbered if the user created multiple
resident keys with the same application string but different user
IDs.
<li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>,
<a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>,
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
better handling for FIDO keys
on tokens that provide user verification (UV) on the device itself,
including biometric keys, avoiding unnecessary PIN prompts.
<li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: add "ssh-keygen -Y match-principals" operation to
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: add "ssh-keygen -Y match-principals" operation to
perform matching of principals names against an allowed signers
file. To be used towards a TOFU model for SSH signatures in git.
<li><a href=https://man.openbsd.org/ssh-add.1>ssh-add(1)</a>,
<a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
<li><a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>,
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
allow pin-required FIDO keys to be added
to <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>.
to <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>.
$SSH_ASKPASS will be used to request the PIN at authentication time.
<li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
allow selection of hash at sshsig signing time
(either sha512 (default) or sha256).
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
read network data directly to the packet input
buffer instead of indirectly via a small stack buffer. Provides a
modest performance improvement.
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
read data directly to the channel input buffer,
providing a similar modest performance improvement.
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
extend the PubkeyAuthentication configuration directive to
accept yes|no|unbound|host-bound to allow control over one of the
protocol extensions used to implement agent-restricted keys.
<!-- OpenSSH 9.0 -->
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
use the hybrid Streamlined NTRU Prime + x25519 key
exchange method by default ("sntrup761x25519-sha512@openssh.com").
The NTRU algorithm is believed to resist attacks enabled by future
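Review bot: the rewritten "ssh-keygen -Y match-principals" line keeps the anchor and the start of the sentence on a single long line, unlike the neighbouring items where the description starts on the line after the link; since the line is being touched anyway, wrap it after `</a>:`. The following line's "principals names" would also read better as "principal names".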
@ -1194,11 +1194,11 @@ to 7.1.
later" attacks where an adversary who can record and store SSH
session ciphertext would be able to decrypt it once a sufficiently
advanced quantum computer is available.
<li><a href=https://man.openbsd.org/sftp-server.8>sftp-server(8)</a>:
<li><a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>:
support the "copy-data" extension to allow server-
side copying of files/data, following the design in
draft-ietf-secsh-filexfer-extensions-00.
<li><a href=https://man.openbsd.org/sftp.1>sftp(1)</a>:
<li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>:
add a "cp" command to allow the sftp client to perform
server-side file copies.
</ul>
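Review bot: in the sftp-server(8) item the context lines split "server-" and "side" across a line break, which HTML renders as "server- side copying"; join the word on one line while this block is being edited. The same pattern appears later in the file as "client- side".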
@ -1206,69 +1206,69 @@ to 7.1.
<li>Bugfixes
<ul>
<!-- OpenSSH 8.9 -->
<li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
document that CASignatureAlgorithms, ExposeAuthInfo and
PubkeyAuthOptions can be used in a Match block.
<li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
fix possible string truncation when constructing paths to
.rhosts/.shosts files with very long user home directory names.
<li>ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
exchange hashes
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
don't put the TTY into raw mode when SessionType=none,
avoids ^C being unable to kill such a session.
<li><a href=https://man.openbsd.org/scp.1>scp(1)</a>:
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
fix some corner-case bugs in SFTP-mode handling of
~-prefixed paths.
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
unbreak hostbased auth using RSA keys. Allow
<a href=https://man.openbsd.org/ssh.1>ssh(1)</a> to
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to
select RSA keys when only RSA/SHA2 signature algorithms are
configured (this is the default case). Previously RSA keys were
not being considered in the default case.
<li>ssh-keysign(1): make ssh-keysign use the requested signature
algorithm and not the default for the key type. Part of unbreaking
hostbased auth for RSA/SHA2 keys.
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
stricter UpdateHostkey signature verification logic on
the client- side. Require RSA/SHA2 signatures for RSA hostkeys
except when RSA/SHA1 was explicitly negotiated during initial
KEX
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
fix signature algorithm selection logic for
UpdateHostkeys on the server side. The previous code tried to
prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
cases. This will use RSA/SHA2 signatures for RSA keys if the
client proposed these algorithms in initial KEX.
<li>All: convert all uses of
<a href=https://man.openbsd.org/select.2>select(2)</a>/
<a href=https://man.openbsd.org/pselect.2>pselect(2)</a> to
<a href=https://man.openbsd.org/poll.2>poll(2)</a>/
<a href=https://man.openbsd.org/ppoll.2>ppoll(2)</a>.
<a href="https://man.openbsd.org/select.2">select(2)</a>/
<a href="https://man.openbsd.org/pselect.2">pselect(2)</a> to
<a href="https://man.openbsd.org/poll.2">poll(2)</a>/
<a href="https://man.openbsd.org/ppoll.2">ppoll(2)</a>.
This includes the mainloops in
<a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>,
<a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>
and <a href=https://man.openbsd.org/sftp-server.8>sftp-server(8)</a>,
as well as the <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>
and <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>,
as well as the <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>
listen loop and all other FD read/writability checks.
<li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
the "-Y find-principals" command was verifying key
validity when using ca certs but not with simple key lifetimes
within the allowed signers file.
<li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
make sshsig verify-time argument parsing optional
<li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
fix truncation in rhosts/shosts path construction.
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
avoid xmalloc(0) for PKCS#11 keyid for ECDSA
keys (we already did this for RSA keys). Avoids fatal errors for
PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B
"cryptoauthlib"
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
improve the testing of credentials against
inserted FIDO: ask the token whether a particular key belongs to
it in cases where the token supports on-token user-verification
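Review bot: the poll(2) conversion item lists ssh-agent(1) twice in a row, and the change carries the duplicate over into the new quoted lines ("ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8)"); drop one of them, or replace it with the program that was meant if the duplicate stands in for a different one. In the same hunk, ssh-keysign(1) is left as plain text in two items while every other manual reference is linked, and the two sshd(8) entries about truncation in .rhosts/.shosts path construction look like the same fix listed twice.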
@ -1276,62 +1276,62 @@ to 7.1.
Will reduce spurious "Confirm user presence" notifications for key
handles that relate to FIDO keys that are not currently inserted in at
least some cases.
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
correct value for IPTOS_DSCP_LE. It needs to
allow for the preceding two ECN bits.
<li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
add missing -O option to usage() for the "-Y sign" option.
<li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
fix a NULL deref when using the find-principals
function, when matching an allowed_signers line that contains a
namespace restriction, but no restriction specified on the
command-line
<li><a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>:
<li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
fix memleak in process_extension(); oss-fuzz issue #42719
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
suppress "Connection to xxx closed" messages when LogLevel
is set to "error" or above.
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
use correct zlib flags when inflate(3)-ing compressed packet data.
<li><a href=https://man.openbsd.org/scp.1>scp(1)</a>:
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
when recursively transferring files in SFTP mode, create the
destination directory if it doesn't already exist to match
<a href=https://man.openbsd.org/scp.1>scp(1)</a> in
<a href="https://man.openbsd.org/scp.1">scp(1)</a> in
legacy RCP mode behaviour.
<li><a href=https://man.openbsd.org/scp.1>scp(1)</a>:
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
many improvements in error message consistency between
<a href=https://man.openbsd.org/scp.1>scp(1)</a>
<a href="https://man.openbsd.org/scp.1">scp(1)</a>
in SFTP mode vs legacy RCP mode.
<li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
fix potential race in SIGTERM handling
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/sshd.8>sshd(8))</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8))</a>:
since DSA keys are deprecated, move them to the end of the default
list of public keys so that they will be tried last.
<li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
allow 'ssh-keygen -Y find-principals' to match
wildcard principals in allowed_signers files
<!-- OpenSSH 9.0 -->
<li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>,
<a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
fix
<a href=https://man.openbsd.org/poll.2>poll(2)</a> spin when a
<a href="https://man.openbsd.org/poll.2">poll(2)</a> spin when a
channel's output fd closes without data in the channel buffer.
<li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
pack pollfd array in server listen/accept loop. Could
cause the server to hang/spin when MaxStartups &gt; RLIMIT_NOFILE
<li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>:
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
avoid NULL deref via the find-principals and check-novalidate operations.
<li><a href=https://man.openbsd.org/scp.1>scp(1)</a>:
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
fix a memory leak in argument processing.
<li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
don't try to resolve ListenAddress directives in the sshd
re-exec path. They are unused after re-exec and parsing errors
(possible for example if the host's network configuration changed)
could prevent connections from being accepted.
<li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>:
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
when refusing a public key authentication request from a
client for using an unapproved or unsupported signature algorithm
include the algorithm name in the log message to make debugging
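Review bot: the DSA item's link text still has a doubled closing parenthesis after the quoting fix, `<a href="https://man.openbsd.org/sshd.8">sshd(8))</a>:`; it should be `sshd(8)</a>:`. Worth fixing in this commit since the line is already being rewritten. Several items in this hunk also end without a period ("fix potential race in SIGTERM handling", "command-line", "allowed_signers files") while others have one.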